Submitted by Matt (not verified) on Mon, 2005/09/12 - 05:51.
use masquerade
Are you using MASQUERADE or regular SNAT? From the iptables manpage:
MASQUERADE
This target is only valid in the nat table, in the POSTROUTING chain. It should only be used with dynamically assigned IP (dialup) connections: if you have a static IP address, you should use the SNAT target. Masquerading is equivalent to specifying a mapping to the IP address of the interface the packet is going out, but also has the effect that connections are forgotten when the interface goes down. This is the correct behavior when the next dialup is unlikely to have the same interface address (and hence any established connections are lost anyway).
If memory serves, MASQUERADE works just as advertised. Of course it could've been broken in more recent versions of netfilter and/or the kernel. I haven't tried it with 2.6 yet, for example.
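
The choice the quoted manpage text describes, as an added example that is not part of the original comment: a shell helper that prints (does not apply) the POSTROUTING rule for a dynamically addressed or a statically addressed uplink. The helper names `nat_rule` and `is_ipv4` are hypothetical, and the interface names and the address 203.0.113.10 are constructed sample values.

```shell
#!/bin/sh
# Added example: print the nat-table rule that fits the uplink type.
# ppp0, eth0 and 203.0.113.10 are constructed sample values.

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0..255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input is digits and dots only
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# nat_rule OUT_IF [STATIC_IP]
#   no STATIC_IP -> address is assigned dynamically: MASQUERADE
#   STATIC_IP    -> fixed address: SNAT with an explicit --to-source
nat_rule() {
    out_if=$1
    static_ip=${2:-}
    case "$out_if" in
        ''|-*|*[!A-Za-z0-9_.-]*) echo "invalid interface name" >&2; return 2 ;;
    esac
    if [ -z "$static_ip" ]; then
        echo "iptables -t nat -A POSTROUTING -o $out_if -j MASQUERADE"
    elif is_ipv4 "$static_ip"; then
        echo "iptables -t nat -A POSTROUTING -o $out_if -j SNAT --to-source $static_ip"
    else
        echo "invalid IPv4 address: $static_ip" >&2
        return 2
    fi
}

nat_rule ppp0                 # dialup link, address changes per connection
nat_rule eth0 203.0.113.10    # static address
```
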